Active Spam Killer takes advantage of the fact that most spammers use invalid or fake "From:" addresses in their messages.
When a new message arrives and the sender is unknown, ASK sends a "confirmation message" back, informing the sender that the original message has been queued, pending confirmation.
When the sender confirms (a simple reply), ASK delivers the original message and adds the sender to a "whitelist". Further messages from this sender will be immediately delivered.
It is also possible to ignore messages based on specific criteria, like sender's email, subject and so on.
The goal of ASK is to block Spam mail before it is delivered to your mailbox. As we know, filtering alone is not effective since many times Spam mail contains no detectable elements.
ASK should be invoked from .forward (or .procmailrc if you are using procmail). The incoming message should be piped to ASK, which will be in charge of doing the actual delivery.
When ASK receives an email, it first checks the email address against your "ignorelist". If the address is listed there, it's ignored completely. Then, the message is checked against your "blacklist". If it's there, a nastygram is sent back to the sender with something like "Please stop sending me emails" in the Subject line.
The real fun happens when an email comes from an unknown user (i.e., someone not in any of your lists). In this case, ASK calculates the MD5 checksum of the message and a secret MD5 key (configured during installation time).
This number is sent as part of a "confirmation message" back to the user. If the user replies to it, the confirmation number (in the subject) is recognized, the message is dequeued and delivered. If the user does not reply, the message remains queued until it's removed.
The program has some intelligence to deal with specific cases. For instance, if a mail is sent to a non-existing user, the error message from mailer-daemon is ignored. This avoids seeing lots of "invalid user" messages in your inbox.
Another interesting "twist" is that messages coming from your own email address are never trusted. If the spammer knows your address he could easily fake your own address in the From: line.
Messages coming from you will be identified by a "mailkey", a string you always put in your messages by default (maybe a piece of your own signature). This has the added side-effect of allowing any messages coming in reply to a message you sent to someone (as long as that person keeps your "mailkey" in their quoted reply, a practice common these days).
The program never deletes any messages. For instance, if you send yourself a message without your mailkey (a possible Spam), it will be saved in a "Junk" mailfolder (you can specify this folder during the configuration).
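The decision flow described above, written out in Python as an added example; this is not ASK's own code. The function names, the sample addresses and keys, and the order of the checks after the blacklist are assumptions, and the returned strings stand in for the actual delivery actions.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for this example.
SECRET = b"constructed-secret"        # stands in for the key chosen at install time
MAILKEY = "alice-sig-7731"            # string the owner puts in every outgoing mail
OWNER = "alice@example.org"
ignorelist = {"noise@example.net"}
blacklist = {"pest@example.net"}
whitelist = {"bob@example.com"}
queue = {}                            # confirmation number -> queued raw message

def confirmation_number(raw: str) -> str:
    """MD5 over the message plus the secret key, as the text describes."""
    return hashlib.md5(raw.encode("utf-8") + SECRET).hexdigest()

def handle(raw: str) -> str:
    """Return the action taken for one incoming message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    if sender in ignorelist:
        return "ignored"
    if sender in blacklist:
        return "nastygram"
    if sender.startswith("mailer-daemon@"):
        return "ignored"              # bounce of a confirmation message
    if MAILKEY in raw:
        return "delivered"            # owner's own mail, or a reply quoting it
    if sender == OWNER:
        return "junk"                 # claims to be the owner but lacks the mailkey
    if sender in whitelist:
        return "delivered"
    match = re.search(r"\b[0-9a-f]{32}\b", subject)
    if match and match.group(0) in queue:
        queue.pop(match.group(0))     # original message is dequeued and delivered
        whitelist.add(sender)
        return "confirmed"
    queue[confirmation_number(raw)] = raw
    return "queued"

def mail(sender: str, subject: str, body: str) -> str:
    """Build a constructed message for the demo."""
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"
```

A reply whose subject carries a number that is not in the queue is treated as another message from an unknown sender and is queued in turn.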